An improved file access security technique and associated 
apparatus accesses data which is stored in encrypted form 
under one encryption key and re-stores the data re-encrypted 
under another encryption key, and produces a record of each 
access and data re-encryption both as the control source of 
encryption keys for access and re-entry of encrypted data and 
as a secured audit record of users that had access to each file. 
BACKGROUND OF THE INVENTION 

Many known computer-controlled operations on secured data files require verification of the identity of an individual sei 
access a file before the data (usually in encrypted form) can be accessed (see, for example, U.S. Pat. Nos. 3,938,091, 3,5 
3,611,293 and 4,198,619). In addition, many known record-securing schemes including those associated with credit card 
require verification of both the authority of the using individual and the authenticity of the data in the record, to protect i 
unauthorized users and against counterfeit or duplicate records. Schemes of this type are disclosed in U.S. Pat. Nos. 4,30 
4,328,414 and 4,357,429. 

One disadvantage associated with computer-controlled security schemes of these types is that there is typically no indica 
on file of which secured record was accessed, or by whom. 
SUMMARY OF THE INVENTION 

In accordance with the preferred embodiment of the present invention, a dynamic record of encryption control keys used 
access initially and at all subsequent occasions to secured encrypted files is generated both as an active element of the ac 
scheme and as a secured historic record for audit purposes of all accesses to encrypted files. In addition 

outdated files are prevented once a file is accessed, even merely for display without alteration, so that a file once accesse 
therefore with its security compromised, can be re-secured against duplication, substitution, and re-use. Schemes of this 
particularly useful in banking and funds-transfer operations where proper access initially to an account file, for example, 
effect a withdrawal of funds, must thereafter be carefully controlled to avoid such disastrous practices as multiple replicf 
the same operation coupled with substitution of the original balance back into the file. Further, the historic record of acc( 
files produced by the present invention constitutes an audit record in encrypted form of such accesses. 



DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a pictorial block diagram showing one application of the apparatus of the present invention; 

FIG. 2 is a flow chart illustrating the operation of the apparatus of FIG. 1; 

FIG. 3 is a block diagram of the illustrated embodiment of the present invention; and 

FIG. 4 is a chart illustrating the formation and operation of the key usage control file according to the present invention. 



DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring now to FIG. 1, there is shown a pictorial block diagram of the present invention illustrating the addition of an 
securing module 9 to a typical computer system comprising a central-processing unit 11, keyboard controller 13, and me 
means 15, 17 for storing files. The memory means 15, 17 may use any conventional form of storage technology such as 
semiconductor memory, magnetic memory in core, crystal, disc, drum, or tape form, and any combinations thereof, to st 
data 17 to which access is to be controlled, and to store access authorization information 15 about individuals and entitie 
may access the stored data 17. Keyboard 13 provides manual-entry access to the computer system in conventional mann 
representative of other computer-accessing schemes such as by another computer system, and the like. 

In accordance with the present invention, such a typical computer system is modified to include access-securing module 
operates with the computer system to progressively reencrypt the data in storage in memory means 17 each time a file is 
accessed, and optionally to update the access authorization information in storage in memory means 15 in response to 
authorizations granted, and to generate historic files in encrypted form of the encryption keys used to decrypt and reencr 
file accessed from memory means 17. In addition, the module 9 operates in a controlled reinitialization mode to restore 
in memory means 17 to a new, standard encryption key after numerous accesses of files in storage 17 have been authori 
number of accesses before requiring reinitialization is determined by the memory capacity in the module 9. 

Referring now to FIGS. 2 and 3 in addition to FIG. 1, there are shown a flow chart and a block diagram, respectively, illi 
the operation of the system of FIG. 1 under control of a central processing unit 11. In operation, a person or entity, R, ret 
access to a particular file may enter personal identification numbers, information about the particular file, and the like, v 
keyboard 13. Optionally, a personal-identity verification routine 21 may be performed in conventional manner (as disclo 
example, in U.S. Pat. No. 3,938,091 or 4,198,619) and the access-authorization files 15 may be searched for authorizati 
access the requested file. All such files in memory means 17 are initially encrypted with an initial key code, K0, in a 
conventional manner (for example, using the Data Encryption Standard module available from the National Bureau of 
Standards) by encrypting the file data in encryption module 21 with key code, K0, from key code generator 23. 

With authorization established 25, the particular file #X may be accessed, but decrypting the file #X requires the correct 
code. For this purpose, the key-usage control file 19, later described herein in detail, is searched to determine if the file 
previously accessed. The conditions of prior access, namely, that it was, or it was not previously accessed, are possible. 
not, then file #X will not appear in the key-usage control file, an indication that it appears in storage 17 encrypted with tl 
key code, K0. Key generator 23 is capable of generating a sequence of different key codes K0, K1, K2, K3 . . . Kn and is 
supply key code K0 to the decryption module 27 (which, of course, may be the same type of DES module, or may be the same module, as encryption module 21). The 
requested file #X may therefore be decrypted in conventional manner using key code K0 to provide the accessed data 29 
text. The data is then returned to storage, either without or with new data modifications 31 that reflect a data-oriented tra 
such as sale, deposit, withdrawal, or the like, and is re-stored in encrypted form using new key code K1. This is accomp 
resetting 38 the key code generator 23 to supply key code K1 to the encryption module 21 and returning the data 33 witi 
without modifications for encryption in module 21 with the key code K1. In addition, the key-usage control file 19 is upi 
reflect that file #X was accessed and now resides in storage newly-encrypted with the new key code K1 in the sequence, 
the access-authorization files 15 may be updated optionally to inhibit further access to file #X by user R, for example, to 
R's further access until a "new date", or until accessed by another user, or the like. Subsequent access to file #X by user 
continuously authorized, or by any other user must be via decryption with key code K1. 

If file #X was previously accessed, then the key-usage control file 19 will contain the entry of file #X having been previ 
accessed and returned to storage encrypted with a new key code K1, K2 . . . Kn depending upon the number of previous 
accesses to file #X. Thus, with reference to the chart of FIG. 4 which illustrates the typical entries in the key-usage contr 
19, if file #X is file #00100, then the previous accesses to this file resulted in its being re-stored encrypted with key code 
entry 37). The search of the key-usage control file 19 thus indicates that file #00100 was previously accessed twice and i 
requires decryption with key code K2. If authorization of the requesting user is still valid 39, then the key code generator 
set to supply the key code K2 to decryption module 27 in order to furnish the data in this file in clear text 29. Re-storing 
from this file in modified or unmodified form is accomplished by resetting 38 the key code generator 23 to supply key c 
(entry 41 in FIG. 4) to the encryption module 17 for encryption therein of the returned data with the new key code K3. A 
retrievals of data in storage 17 may be by destructive read of information in the addressed file so that data for restoring tl 
may be written in the newly-encrypted form. After numerous accesses to files in storage 17, the key-usage control file 19 
typically include entries as illustrated in FIG. 4. Such file optionally may also include codes to identify the particular use 
gained access to each file. The file 19 thus provides an audit record of the accesses to the files in storage 17. In addition, 
usage control file 19 is in encrypted form since it neither reveals the data in storage 17 nor the actual key codes K1 . . . K 
generated by generator 23) required to decrypt the data in storage 17. Further, the key codes K0 . . . Kn which serve as fi 
protect codes can be generated internally in conventional manner, for example, by a random-number generator 23 and th 
need not be known to anyone. 

After numerous accesses to the data in storage 17 which approaches the limit of the sequence of key codes for any partic 
file, or on a periodic basis, the entire collection of files in storage 17 may be re-encrypted with a new initial key code K0' 
sequence of new key codes K0', K1' . . . Kn' using the apparatus illustrated in FIG. 3 under control of the central proce 
unit 11. However, since the files in storage 17 are encrypted with different key codes, the key-usage control file 19 must 
consulted to determine which key code to use to decrypt the data in each file for re-encryption with a new initial key cod 
After completion of this reinitialization mode of operation, the key-usage control file 19 for the sequence of key codes K 
Kn may be retired to serve as an historic record of access to the data in storage 17 without compromising the security of 
system or of the data in storage 17 under new encryption codes. 
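The access, re-encryption and reinitialization procedure described above, as an added simulation that is not part of the patent: storage 17, key generator 23 and the key-usage control file 19 are modelled in one class (names assumed), and a SHA-256 keystream XOR stands in for the DES module so the example runs offline. Each access decrypts under the recorded key Ki, re-stores under K(i+1) and appends a (user, key index) entry; reinitialization consults that record to re-key every file under a fresh K0' and retires the record as the audit archive.

```python
import hashlib
import os

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for the patent's DES module (assumed,
    not the patent's own): XOR data with SHA-256(key || block counter) blocks.
    Applying it twice with the same key recovers the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

class SecuredStore:
    """Storage 17, key code generator 23 and key-usage control file 19.
    Names are assumed; keys K0..Kn are random and never leave the object."""
    def __init__(self, n_keys: int):
        self.keys = [os.urandom(16) for _ in range(n_keys + 1)]  # K0 .. Kn
        self.storage = {}  # file id -> ciphertext           (storage 17)
        self.control = {}  # file id -> [(user, key index)]  (control file 19)
        self.archive = []  # retired control files: the historic audit record

    def key_index(self, fid):
        # A file absent from the control file is still under the initial key K0
        entries = self.control.get(fid)
        return entries[-1][1] if entries else 0

    def store_initial(self, fid, plaintext: bytes):
        self.storage[fid] = stream_xor(self.keys[0], plaintext)

    def access(self, fid, user, modify=None) -> bytes:
        """Decrypt with the recorded key Ki, re-store under K(i+1), log the access."""
        i = self.key_index(fid)
        if i + 1 >= len(self.keys):
            raise RuntimeError("key sequence exhausted; reinitialize first")
        clear = stream_xor(self.keys[i], self.storage[fid])
        if modify is not None:
            clear = modify(clear)  # e.g. a deposit or withdrawal (31 in FIG. 2)
        self.storage[fid] = stream_xor(self.keys[i + 1], clear)
        self.control.setdefault(fid, []).append((user, i + 1))
        return clear

    def reinitialize(self):
        """Re-encrypt every file under a fresh K0', consulting the control file
        for the key each file currently sits under, then retire the record."""
        new_keys = [os.urandom(16) for _ in self.keys]
        for fid, ct in self.storage.items():
            clear = stream_xor(self.keys[self.key_index(fid)], ct)
            self.storage[fid] = stream_xor(new_keys[0], clear)
        self.archive.append(self.control)
        self.control = {}
        self.keys = new_keys

    def raw_decrypt(self, fid, key_index) -> bytes:
        """Checking helper: decrypt a stored file with the given key index."""
        return stream_xor(self.keys[key_index], self.storage[fid])
```

Once the key sequence is exhausted, `access` refuses further requests until `reinitialize` has run, mirroring the capacity limit the description places on module 9.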
Claims of corresponding document: US4588991 
I claim: 

1. Method of securing data files in storage against unauthorized access, comprising the steps of: encrypting file data as a 
logical combination thereof with an initial one of a plurality of encryption key codes to produce file data in encrypted fo 
storage at selected file address locations; establishing a record of accesses to each selected file address location and the c 
the plurality of encryption key codes with which the file data at the address location is encrypted; processing a request fc 
to file data at a selected file address location by determining from the record the number of prior accesses thereof and thi 
encryption key code associated therewith; decrypting file data at the selected file address location using said associated 
encryption key code; re-encrypting file data for said selected file address location using a new one of said plurality of en 
key codes in said selected logical combination; storing the newly re-encrypted file data at the accessed file address locat 
modifying the record to indicate an additional access to the selected file address location and the new encryption key coc 
associated therewith. 

2. Method of securing data files according to claim 1 wherein in the step of decrypting, file data at a selected file address 
location is decrypted using said initial encryption key code in response to determination from the record that said selecte 
address location was not previously accessed. 

3. Method of securing data files according to claim 1 comprising the additional steps of establishing a file of user access 
authorizations; and prior to accessing a selected file address location determining the authorization status of a user to gai 
to the selected file address location. 

4. Method of securing data files according to claim 3 comprising the additional step of selectively altering the access 
authorization of a user to gain subsequent access to the selected file address location in response to re-encryption of the J 
for storage at the selected file address location. 

5. Method of securing data files according to claim 1 comprising the steps of: reinitializing all the file data by decrypting 
data at each selected file address location using the encryption key code therefor determined from the record; and re-enc 
the file data at each such file address location using a new initial one of a plurality of key codes. 

6. Method of securing data files according to claim 5 wherein in the reinitialization step the file data at any file address 
which is not indicated in the record to have been accessed previously is decrypted using the initial encryption key code. 

7. Apparatus for securing data files in storage against unauthorized access, comprising: storage means for storing file dat 
encrypted form at selectable file address locations; encryption means for supplying encrypted file data to a selected file 
location as the logical encoding combination of file data and an encryption key signal 

applying selected encryption key signals to the encryption means; record means for producing indication of selected file 
locations and key code signals associated with encryption of file data stored therein; circuit means responsive to identifi 
the selected file address location for determining from said record means the encryption key signal associated therewith fo 
the generator means to supply the associated encryption key signal; decryption means disposed to receive encryption ke 
from the generator means and encrypted file data from the storage means and operable in accordance with said logical encoding 
combination to decrypt the file data at said selected file address location; and means operable upon the decrypted file dat 
altering the generator means to supply a new encryption key signal for restoring the file data at the selected file address 
newly encrypted with a new encryption key signal, said means altering the record means to produce an indication of the 
encryption key signal associated with file data in the selected file address location. 

8. Apparatus as in claim 7 wherein said circuit means is responsive to the indication in said record means that a selected 
address location was not previously accessed for setting said generator means to supply the initial encryption key signal 
decryption means. 

9. Apparatus according to claim 7 comprising: access record means for storing data representative of the authorization o 
to selectively access file data in said storage means; and means disposed to receive identification data from a user, and o 
to said circuit means for inhibiting the generator means from supplying an encryption key signal to said decryption mea 
unauthorized, identified user. 

10. Apparatus as in claim 9 comprising means responsive to re-storing of file data at the selected file address location ne 
encrypted with a new encryption key signal for altering the identified user's authorization in said access record means to 
said selected file address location. 

11. Apparatus as in claim 7 comprising initializing means coupled to said generator means, said encryption means and 
decryption means and to said record means for setting the generator means to selectively decrypt file data in each file ad 
location using the encryption key signals from said generator means established from the record means for each such file 
address location, and for re-encrypting the decrypted file data for each file address location using a new initial encryptio 
signal for re-storage at the respective file address location. 

12. Apparatus as in claim 11 wherein said initializing means responds to indication from said record means of no previo 
access to a selected file address location for decrypting file data therein using an initial encryption key signal and for 
encrypting the decrypted file data using a new initial encryption key signal to re-store the newly encrypted file data at th 
respective file address location. 

13. A file access record produced by the process comprising the steps of: storing at selected file address locations file da 
encrypted as the logical combination of file data and selected ones of a plurality of encryption key signals; decrypting fil 
a selected file address location using the encryption key signal associated therewith in accordance with said logical com 
re-encrypting the decrypted file data as a logical combination thereof and a new encryption key signal for restoring at th 
corresponding file address location; and producing said file access record as the compilation at least of the number of tin 
selected file address location was decrypted and information indicative of the encryption key signals with which the file 
each selected file address location was re-encrypted and re-stored therein. 